[ASA-202505-7] nodejs-lts-jod: denial of service

Arch Linux S · 2025-05-19 · via Arch Linux Security Advisories

ASA-202505-7 log generated external raw

[ASA-202505-7] nodejs-lts-jod: denial of service
Arch Linux Security Advisory ASA-202505-7 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23165 CVE-2025-23166 Package : nodejs-lts-jod Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2872 Summary ======= The package nodejs-lts-jod before version 22.15.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 22.15.1-1. # pacman -Syu "nodejs-lts-jod>=22.15.1-1" The problems have been fixed upstream in version 22.15.1. Workaround ========== None. Description =========== - CVE-2025-23165 (denial of service) Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. - CVE-2025-23166 (denial of service) Improper error handling in async cryptographic operations crashes process. The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. Impact ====== A remote attacker can exploit improper error handling and memory management flaws in Node.js to crash the process or exhaust system resources, leading to a denial of service. Specifically, malformed input may trigger a crash in asynchronous cryptographic operations, while repeated use of file system APIs with crafted input may cause unbounded memory growth. References ========== https://nodejs.org/en/blog/vulnerability/may-2025-security-releases https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high https://security.archlinux.org/CVE-2025-23165 https://security.archlinux.org/CVE-2025-23166

Arch Linux Security Advisory ASA-202505-7 ========================================= Severity: High Date : 2025-05-18 CVE-ID : CVE-2025-23165 CVE-2025-23166 Package : nodejs-lts-jod Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-2872 Summary ======= The package nodejs-lts-jod before version 22.15.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 22.15.1-1. # pacman -Syu "nodejs-lts-jod>=22.15.1-1" The problems have been fixed upstream in version 22.15.1. Workaround ========== None. Description =========== - CVE-2025-23165 (denial of service) Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string. In Node.js, the ReadFileUtf8 internal binding leaks memory due to a corrupted pointer in uv_fs_s.file: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. - CVE-2025-23166 (denial of service) Improper error handling in async cryptographic operations crashes process. The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. Impact ====== A remote attacker can exploit improper error handling and memory management flaws in Node.js to crash the process or exhaust system resources, leading to a denial of service. Specifically, malformed input may trigger a crash in asynchronous cryptographic operations, while repeated use of file system APIs with crafted input may cause unbounded memory growth. References ========== https://nodejs.org/en/blog/vulnerability/may-2025-security-releases https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#corrupted-pointer-in-nodefsreadfileutf8const-functioncallbackinfovalue-args-when-args0-is-a-string-cve-2025-23165---low https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-error-handling-in-async-cryptographic-operations-crashes-process-cve-2025-23166---high https://security.archlinux.org/CVE-2025-23165 https://security.archlinux.org/CVE-2025-23166

此内容由惯性聚合(RSS阅读器)自动聚合整理，仅供阅读参考。原文来自 — 版权归原作者所有。

推荐订阅源

Arch Linux Security Advisories

ASA-202505-7 log generated external raw